Creds

An effective weapon against cybercrime

We reveal the cyber attack path to your crown jewels

Making security against cyber attacks accessible to larger SMEs. That’s the mission of Ralf Bardoel and Daan Wagenaar, inspired founders of CREDS, experts in offensive security.

And with “offensive” and “accessible” the company, founded four years ago, makes a big difference. Ralf Bardoel explains, “CREDS Automated Red Teaming (ART) is a platform that tests the cyber resilience of organizations by executing real attacks. And because this happens 24/7 and fully automated, optimal cyber security is now also available to small and medium enterprises (SME).”

Because, Bardoel stresses: It’s affordable. “Our platform doesn’t sleep, doesn’t drink coffee and can handle large networks in an automated way. Although we do check in with customers every day, because sometimes the human eye sees just a little differently. Our service is distinguished by that automation. CREDS ART attacks systems with - as we call it - rubber bullets. Whereby actual damage is limited as much as possible. But at the same time, after an attack we can detect vulnerabilities and risks that need urgent attention. With that independence from human intervention and continuous availability, we now offer SMEs a highly effective weapon against cybercrime.”

Real-time results through continuous insight and concrete areas for improvement

His colleague and co-founder of CREDS, Daan Wagenaar: “Many SME entrepreneurs think penetration tests and scanners provide adequate defense against cyber crime. But testing means you are dependent on external partners. Moreover, they cover only part of the IT, often have to be planned long in advance and, as a rule, are often performed only once a year. Scanners offer no depth, display many false positives and impact is not always a priority. And this is where our added value comes in. Automatic attacks, always available, always up to date. With real-time results, constant insight and the provision of concrete points of improvement.”

For more than four years, Wagenaar and Bardoel worked on their platform. Daan Wagenaar studied Computer Science and worked as a cyber security consultant at KPMG. There he became a colleague of Ralf Bardoel, who earned his master’s degree in financial business economics from Tilburg University. “After first working as an ethical hacker at Ordina, I switched to KPMG. There, at Information Protection Services, Daan and I got to know each other. And we eventually decided to continue as entrepreneurs.”

Thanks to both initiators and a team of five cyber experts, the CREDS ART platform is now available to companies and organizations. “Customers make their own choice from the different attacks CREDS ART provides,” Daan Wagenaar explains. “For example, they can attack their public IT infrastructure and cloud environment from the Internet to detect their vulnerabilities. Or send phishing emails to demonstrate the impact of a compromised employee.”

What are the consequences if a colleague is infected with ransomware?

Ralf Bardoel adds: “Our client launches an attack from his or her office or data center to test the impact of a coworker being compromised. And what are the consequences for business operations if a colleague gets infected with ransomware?”

The fight against cybercrime is an ongoing arms race and requires determination. Flexibility and adaptability are in pole position to neutralize that looming danger. At CREDS, they believe that the best way to ward off attackers is to take control and examine the goals, tools, techniques and patterns of an enemy cyber offensive. By detecting one’s own IT weaknesses, future abuse can be prevented, according to the CREDS strategy. “We are hackers at heart and wear a white hat for a good cause. Security is our passion, not our job.”

Customers can determine their risk appetite themselves and per server

Ralf Bardoel: “The practice is that customers onboard to our online portal, follow the login procedure and then start the attack on their own organization themselves (or with help). Thereby they can choose from different “maturity levels”; the customer is in control, can brake and adjust. At the highest level, for example, your server goes down. Customers can determine their own risk appetite per server. Because in the event of a real attack, there is the risk of collateral damage. At most levels, this is limited to rebooting systems. We find weaknesses, gaps in security, by sending our friendly virus, our “virus with a smile”. What ultimately matters: closing all attack angles, achieving maximum resilience to defend those crown jewels. Think about breaking into accounts with high privileges, think about taking over the cloud environment, think about infiltrating financial records.”

“In the larger SMEs a lot of progress can be made, cyber awareness is often zero and security is not high on the agenda,” is Daan Wagenaar’s belief. “Think of sectors like horticulture, food suppliers, that transport company with 200 employees and an annual turnover of between 5 and 10 million euros. Security against cyber crime is certainly not the first priority for such an organization. But if cyber criminals strike, it can wreak havoc on a company for a long time. With all its financial and reputational consequences. For us it is important to convince potential customers that the best defense is an attack on yourself. Because then you filter those weaknesses out of your defenses, then you can build that really effective blockade against cyber criminals.”

Ransomware is everyday business in SMEs, every owner-director (DGA) is dealing with it

Many SME entrepreneurs will say that their cyber security is already taken care of by their own IT suppliers. “Well”, states Wagenaar, “we are not part of any IT supplier, to avoid the story of “toilet duck tests toilet duck as best”. Of course, it’s never fun for the IT party when we dig those few spades deeper and then the dashboard turns deep red. Because a single ART scan often shows that the same IT vendor does not see such a high-tech attack at all. Our goal is to upgrade expectation management on the front end, to raise the security level to the highest possible level.”

“Cyber insurance requires increasingly higher premiums,” says Ralf Bardoel. “In addition, with the EU NIS2 directive, legislation around information security is getting stricter. Now our platform is ready to fight cyber crime and it’s time for the real rollout. The price tag for that medium to large SMB customer? That depends on the different attack perspectives that are ultimately chosen. Internal and external? Weekly, monthly, semi-annually? The investment ranges from 3,000 to 32,000 euros per year. This is an investment but pales into insignificance when one considers the risks that are reduced and any costs involved in ransomware attacks. In addition, new legislation also requires DGAs to take information security seriously and ART is an effective way to fulfill some of these requirements.”